I had another question: is there a pop-up message if Defender stops a threat? Your linked video clearly shows that a pop-up message appears. There even come warning messages if you want to install the malicious software.
The popups are from the Blocked malware samples.
When you see the Missed item in the console, that sample continues to run, and that can generate the pop-up and warning messages to install, or it is already installed.
Why did Defender not block the download of the malware files?
Download links are based on the reputation of the URL. If it's new malware on a new URL, the URL still has a good reputation; the more it gets investigated (cloud sample uploads, automated scans to learn about the file), and if the file does bad/hostile things, the URL will get a bad reputation. So then, with definition updates, the URLs will have a bad reputation and will be blocked. It only takes some time... that's why some new malware samples still get through. Defender definitions update every 4 hours.
When he executed / activated the malware files, they were almost instantly blocked by Defender, impressive.
The script only downloads the file, and when the script tries to execute the file, Blocked is shown if the file has already been moved to quarantine. If the script can run the file, it outputs Missed. So before the code can execute the exe it downloaded, it is already gone.
How this works.
You might have noticed on machines, when you have a folder with big .exe files, it might take a while for all the exe's to load their icons. Just before accessing the file/showing the icon, Microsoft Defender scans the file, and so it can catch/stop it before the user or any application that accesses the file executes something bad. In this case explorer.exe accesses the .exe file to retrieve the icon, and so Defender kicks in.
Example of what I talk about, with icons still not loaded.
Then Windows Defender has functions like EventWatcher, for example for the filesystem.
The FileSystem EventWatchers are listening on all the non-excluded files on the drive.
So when a file is downloaded somewhere on C:, Windows will generate an event. The programs that listen to those events will get a notification directly when this happens. So when the file is created, at the same moment Defender knows that it happened, and so will scan the file, even before another application or the user accesses the file! That's why it's catching it so fast!
In the old days, when I made a program that would check if a file was created in a folder, I would write a loop and check the folder every second to see if a new file was in there. Now, using those EventWatchers to monitor a file location, it does not have to loop, costs less CPU, and the moment the file is created (within a micro/nanosecond), the application gets a notification, and you can execute your code based on that.
This data comes from the kernel itself.
Read more about the FileSystemWatcher:
FileSystemWatcher Class (System.IO)
Perhaps Microsoft Defender even gets it faster than this FileSystemWatcher, as it is a Microsoft product and so maybe can get even faster access directly from the kernel than the API I write about.
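To make the two approaches in the reply above concrete (the "check the folder every second" loop versus an EventWatcher on the filesystem), here is an added PowerShell example that is not from the original thread and not Defender's own code. It uses the System.IO.FileSystemWatcher class linked above, the same user-mode API the reply refers to, to log a timestamp, the path and a SHA-256 of every file created under a folder. The folder ($WatchPath), the log file ($LogFile) and the subscription name 'DownloadsCreated' are assumed values you can change.

```powershell
# Added example, not code from the original post: event-driven file monitoring with
# System.IO.FileSystemWatcher next to the polling loop the post says it replaces.
# Assumed values: $WatchPath and $LogFile are your own choices.

$WatchPath = Join-Path $env:USERPROFILE 'Downloads'   # assumed folder to monitor
$LogFile   = Join-Path $env:TEMP 'new-file-log.txt'   # assumed log destination

# ---- 1. The old way: poll the folder and diff against what we already saw ----
function Get-NewFilesByPolling {
    param([string]$Path, [hashtable]$Seen)
    # One pass of the "check the folder every second" loop. Returns paths not seen before.
    $new = @()
    foreach ($f in Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue) {
        if (-not $Seen.ContainsKey($f.FullName)) {
            $Seen[$f.FullName] = $true
            $new += $f.FullName
        }
    }
    return $new
}
# Running it looks like this (commented out so the script does not block forever):
# $seen = @{}; while ($true) { Get-NewFilesByPolling -Path $WatchPath -Seen $seen; Start-Sleep 1 }
# Every iteration re-enumerates the whole tree, and a file created right after a pass
# waits up to a full second before anything notices it.

# ---- 2. The event-driven way: the watcher is notified at creation time ----
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $WatchPath
$watcher.Filter = '*.*'
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName -bor [System.IO.NotifyFilters]::LastWrite
$watcher.EnableRaisingEvents = $true

# Handler: record a timestamp, the path and a SHA-256 of every newly created file.
# $Event.MessageData carries the log path passed to Register-ObjectEvent below.
$onCreated = {
    $path  = $Event.SourceEventArgs.FullPath
    $stamp = (Get-Date).ToString('o')
    $hash  = $null
    # The Created event fires as soon as the file exists; the downloader may still hold
    # it open for writing, so retry the hash a few times before giving up.
    for ($i = 0; $i -lt 5 -and -not $hash; $i++) {
        try   { $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction Stop).Hash }
        catch { Start-Sleep -Milliseconds 200 }
    }
    if (-not $hash) { $hash = 'UNREADABLE' }
    Add-Content -Path $Event.MessageData -Value "$stamp`tCreated`t$path`t$hash"
}

$subscription = Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier 'DownloadsCreated' -MessageData $LogFile -Action $onCreated

Write-Host "Watching $WatchPath; new files are logged to $LogFile"
Write-Host "Stop with: Unregister-Event -SourceIdentifier DownloadsCreated"
```

The Created event arrives the moment the file entry appears, before the downloader has finished writing it, which is exactly the timing advantage the reply describes: a scanner hooked in this way sees the file before Explorer or any other program opens it. That is also why the handler retries the hash instead of assuming the content is complete. This is a user-mode subscription; as the reply notes, Defender itself can sit closer to the kernel than this API, so treat the script as an illustration of the event model, not a substitute for the real-time protection it describes.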